0 Replies Latest reply on Aug 23, 2019 8:58 AM by Ram Natarajan

    Fixes for Security Vulnerabilities in Wildfly 15.0.1

    Ram Natarajan Newbie

      Hello

      We are using Wildfly 15.0.1 and while looking at ways to harden security, we came across a few vulnerabilities that affect Wildfly. Details are given below:

       

      https://www.cvedetails.com/cve/CVE-2019-3894/  - It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.

       

      The site lists Wildfly 15.0.1 as impacted by this vulnerability. But references section has links to Red Hat patches but no links are available to Wildfly patches. Where can i find the patch/fix for Wildfly 15.0.1. If there is no patch, how should this vulnerability be addressed?

       

      A related question on vulnerability - https://www.cvedetails.com/cve/CVE-2018-10862/   indicates this is applicable to Wildfly Core 5.0, 6.0 Alpha1, 6.0 Alpha2. Since Wildfly 15.0.1 has Wildfly Core 7.0.0.Final, i was hoping this vulnerability was addressed in WF core 7.0.0. But i am not able to find any details about this in the release notes of Wildfly 15.0.0 or 15.0.1

       

      My questions are:

      1. Are there security patches available for vulnerabilities in Wildfly?

      2. Which document should i refer to know if vulnerabilities in older versions of Wildfly are addressed in newer version(s)?

       

      Thanks

      Ram

       

      @